2.6 Ensure user consent to apps accessing company data on their behalf is not allowed

Information

By default, users can consent to applications accessing your organization's data, although only for some permissions. For example, by default a user can consent to allow an app to access their own mailbox or the Teams conversations for a team the user owns, but cannot consent to allow an app unattended access to read and write to all SharePoint sites in your organization.

Do not allow users to grant consent to apps accessing company data on their behalf.

Rationale:

Attackers commonly use custom applications to trick users into granting them access to company data.

While allowing users to consent by themselves does allow users to easily acquire useful applications that integrate with Microsoft 365, Azure and other services, it can represent a risk if not used and monitored carefully.

Disable future user consent operations to reduce your attack surface and mitigate this risk. If user consent is disabled, previous consent grants will still be honored, but all future consent operations must be performed by an administrator.

Impact:

If user consent is disabled, previous consent grants will still be honored but all future consent operations must be performed by an administrator. Tenant-wide admin consent can be requested by users through an integrated administrator consent request workflow or through organizational support processes.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To prohibit user consent to apps accessing company data on their behalf, use the Microsoft 365 Admin Center:

Select Admin Centers and Azure Active Directory.

Select Enterprise applications from the Azure navigation pane.

Under Security select Consent and permissions.

Under User consent for applications select Do not allow user consent.

Click the Save option at the top of the window.

To prohibit user consent to apps accessing company data on their behalf, use the Microsoft Online PowerShell Module:

Connect to Microsoft Online service using Connect-MSOLService.

Run the following Microsoft Online PowerShell command:

Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $False
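The following script, added here as an example and not part of the CIS benchmark or the Nessus plugin, audits the current setting with Get-MsolCompanyInformation and remediates only on an explicit decision; it assumes the MSOnline module is installed and the signed-in account has a role permitted to read and change company settings.

```powershell
# Audit and (optionally) remediate "user consent to apps" with the MSOnline module.
# Added example; assumes the MSOnline module is installed and the caller holds a
# role that can read and change tenant company settings.

function Test-UserConsentToAppsDisabled {
    # Returns $true when the tenant already blocks user consent to apps
    # (the property is $True by default, i.e. consent is allowed).
    $company = Get-MsolCompanyInformation
    return (-not $company.UsersPermissionToUserConsentToAppEnabled)
}

function Disable-UserConsentToApps {
    # Wraps the benchmark's remediation command so -WhatIf/-Confirm work.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('tenant company settings', 'Disable user consent to apps')) {
        Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $False
    }
}

Connect-MsolService

if (Test-UserConsentToAppsDisabled) {
    Write-Output 'PASS: users cannot consent to apps accessing company data on their behalf.'
} else {
    Write-Output 'FAIL: user consent to apps is enabled (the default value).'
    # Dry run first; remove -WhatIf to apply the change.
    Disable-UserConsentToApps -WhatIf
    # After applying, re-run the check to confirm the new state:
    # Test-UserConsentToAppsDisabled
}
```

Existing consent grants are not revoked by this change; review them separately in Enterprise applications if needed.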

Default Value:

UI: Yes (user consent allowed)
PowerShell: UsersPermissionToUserConsentToAppEnabled = True

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-4, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: microsoft_azure

Control ID: 1dd350844d916d7191de210cbd47f5bd3f1acf5bebefdd69a7cdc08705ea72d4